Feds Urge Healthcare Providers, Vendors to Use Strong MFAHIPAA-Covered Entities, Third Parties Reminded to Avoid Authentication Mistakes
Federal regulators are once again reminding healthcare entities and their vendors of the importance of using strong multifactor authentication to help fend off hacks and other compromises, but they also warn about avoiding common mistakes with MFA.
Robust authentication - especially multifactor authentication - provides the first line of defense against intrusions and attacks, and the No. 1 mistake is not implementing multifactor authentication to begin with, according to a Department of Health and Human Services' Office for Civil Rights bulletin issued Friday.
"Healthcare is lagging when it comes to fully adopting multifactor authentication," said Tom Walsh, president of privacy and security consultancy tw-Security. "Some of this could be because of legacy applications and systems that do not support MFA," he told Information Security Media Group.
But clinicians' resistance to using multifactor authentication is not as big of a deterrent to implementing MFA in healthcare environments as it was in the past, he said. "Most people are already using MFA for other personal accounts such as online banking. I think the lag in implementing MFA comes down to resources - money, time and qualified staff to implement MFA."
Also, not all multifactor authentication solutions are equally effective, HHS OCR warned "Some may be more prone to compromise than others," the agency wrote.
"Authentication that requires a user to present multiple instances of the same factor is not multifactor authentication," HHS OCR wrote. For example, "an authentication process requiring a password and PIN is not multifactor authentication because both factors are 'something you know,'" the agency said.
Some entities still don't fully understand that multifactor authentication requires the use of two or more distinct factors. They include something the user knows - such as a password or PIN; something the user possesses - such as a security token or smart ID card; or something inherent to that user, such as a fingerprint, facial recognition other biometric data, HHS OCR wrote.
According to Walsh, one of the most commonly used MFA techniques in healthcare sends a six-digit code via SMS text message or email to a mobile device. "This is probably the least secure," he warned.
Other MFA requires some type of authenticator app that has to be loaded on a smartphone, he said. Also, "there is still the old-school physical token - for example, RSA SecurID - which tends to be a little more secure than relying on a mobile device, which can be lost or stolen," he said.
Weak authentication practices have been central to many recent high-profile cyberattacks and major data breaches, HHS OCR said. And that's not just in the healthcare sector, the agency added.
In a 2021 ransomware attack against a major food company that processes approximately 20% of the U.S. meat supply, perpetrators gained initial access by compromising an old administrator account secured with only a "weak password," HHS OCR said.
This was the attack on the world's largest meat supplier, Brazilian-based JBS, which was forced to shut down its servers in North America and Australia, disrupting operations for about a week.
HHS OCR is the latest federal agency pushing for more widespread adoption of multifactor authentication.
Cybersecurity and Infrastructure Security Agency Director Jen Easterly said last October during an address at a FIDO Alliance conference that technology vendors should "forcefully nudge" users into using MFA (see: US CISA Official: 'Forcefully Nudge' Users to Adopt MFA).
CISA recommends that entities implement phishing-resistant multifactor authentication, which can help detect and prevent disclosures of authentication data to a website or application masquerading as a legitimate system, the HHS bulletin says.
For instance, phishing-resistant multifactor authentication could require a password or user biometric data, combined with an authenticator such as a personal identity verification card or other cryptographic hardware or software-based token authenticator, such as FIDO with WebAuthn authenticator, according to the bulletin.
"The layered defense of a properly implemented multifactor authentication solution is stronger than single-factor authentication such as relying on a password alone," HHS OCR wrote.
Walsh suggested that healthcare sector entities consider integrating password vaults with MFA. Also, "passwordless authentication is probably in the future but we haven’t seen it implemented in healthcare," he said.
But the bottom line, he added, is that "any MFA is probably better than no MFA."